The finding comes from a first-ever survey, the ASX 100 Cyber Health Check Report, released this week by the Australian government. Seventy-six of Australia's 100 largest companies by market capitalization on the Australian Securities Exchange (ASX) participated.

Only 29 percent say they're "very confident" that they can detect and respond to an intrusion with minimal operational impact. The surveyed companies are not named, and their responses are aggregated.

"This may be partly because cyber risk is increasing and becoming more complex, as well as a greater recognition of the potential costs," according to the survey. "It may also be due to a traditional focus on protection rather than detection and response capabilities."

[Chart: "Are you confident in your organization's ability to detect, respond and manage a cyber intrusion to minimize impact to your business?" Source: ASX 100 Cyber Health Check Report]

Still, the broad trends illustrated by the survey are positive, says Shane Bell, forensic and cyber director of the technology advisory firm McGrathNicol. Many companies have cybersecurity training in place and have considered how they would notify customers about a data breach.

"It shows you that this [cybersecurity] is on the agenda in boards," Bell says. "You want people to be talking about this. Most of our top listed companies are concerned this isn't something that is going away."

The report comes a year after the Australian government launched a refreshed cybersecurity strategy that's designed to put the country on a stronger footing in the face of increasing threats (see Is Australia Spending Enough on Cybersecurity?).

Cyber Risk Increasing

Australia pledged in April 2016 to spend AU$230 million (US$173 million) over the next four years on a range of initiatives to bolster the country's cybersecurity stance. That includes fostering a homegrown cybersecurity industry, better threat information sharing and helping businesses defend against hackers.

It's estimated that cybercrime costs the Australian economy a minimum of $1 billion a year, although the figure could be as high as $17 billion.

The survey is a mix of findings, some good and others more worrying. More than 80 percent of companies expected the likelihood "of cyber risk to increase within the short term."

The report is significant in that it has taken the cybersecurity pulse of large Australian companies, says Jeff Paine, CEO and managing director of ResponSight, a data breach prevention firm based in Melbourne.

"There seems to be a feeling of reasonable capability in terms of what we are spending and what we're able to do in terms of detection and prevention," Paine says. "But at the same time a feeling we're only sort of a bit confident" about stopping breaches.

Third-Party Risk

Some 88 percent of boards now receive reports on cyber incidents, with 21 percent of those respondents establishing reporting procedures within the last year. But more than half of directors, 54 percent, contend that those reports contain only basic information.

Also of increasing concern is how attackers look for weaknesses in the networks of a company's partners. Those partners may have weaker security controls, making it possible to breach the intended victim.

This is how Target saw 40 million payment card details stolen in 2013. Attackers first compromised a refrigeration and HVAC contractor that held credentials for a data connection into Target's network, then used that access to move deeper into the network and eventually install malware on Target's point-of-sale systems.

A third of survey respondents say they've not evaluated the cyber defenses of their suppliers or customers who have connections to their systems. Plus, only 37 percent have a "clear understanding of their own key information assets," the report says.

Paine says that's concerning. "The board doesn't have a good understanding of where the data is," he says. "I think that goes to the core of what you're trying to protect."

If a partner is responsible for a data breach, regulators will look to the company with the customer relationship. Not knowing where data resides is problematic, says Peter Malan, a partner with PwC's cybersecurity practice.

"If you have a breach, it's going to make it difficult to properly respond to that legislation," Malan says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
